Question: If I just install Linux (for argument's sake let's say RedHat 5.2) and do nothing else in the way of configuration; then install NT Server and do nothing else to it, if I am totally clueless about security, then which one of these machines is more likely to get cracked?

My employer will never let me install Linux on one of our servers. He knows I do not have time to be a real sysadmin and he is convinced that NT is more secure right out of the box.

Is he right? Would this guy's system have been cracked if he'd been running NT?

My favorite is retribution strikes. That is where you place a script to watch your logs. When you see some script kiddy running an exploit against your system, you hit him with all of your favorite denial of service attacks. The poor haxor's machine will suddenly be flooded (especially when they are trying to take on my T3.)

So why are you assuming that the only way to get a root shell on more than one box is to be a script kiddie? Some of us administrate more than one box. I'm in the 20+ category, myself, and they're all legit...

Another little trick I like to do is to use chattr to make all the system log files append only (+a) at the filesystem level (at least with Linux's ext2 partitions). A script kiddie can rm or edit them all he wants but they will not alter, just get appended to. Of course this will mess up log rotation a bit, so you will have to modify the rotation scripts so they modify the attributes before rotation and reset them afterwards. An addendum to this is to remove or rename lsattr and chattr to something else; this won't stop them ftping in a new copy if they do know what they are for, but it will slow down the script kiddies, which is the whole point.
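The append-only trick above, with the logrotate side of it worked out, as an added example that is not part of the thread. It assumes the log list in LOGS, a logrotate stanza path of your choosing, and that logrotate passes the log file name to prerotate/postrotate scripts as `$1` (which it does unless `sharedscripts` is set). `chattr +a` only holds against an intruder who has not yet obtained root, so treat it as a speed bump on top of remote logging, not a substitute for it.

```shell
#!/bin/sh
# Added example: append-only system logs with chattr +a, plus a logrotate
# stanza that lifts the flag only for the duration of the rotation
# (rename and truncate both fail on an append-only inode).
# LOGS and the stanza path are assumptions; adjust for your box.
set -u

LOGS="${LOGS:-/var/log/messages /var/log/secure /var/log/maillog}"

# Mark each log append-only.  Needs root and an ext2/ext3/ext4 filesystem.
protect_logs() {
    for f in $LOGS; do
        chattr +a "$f" || return 1
    done
}

# Report whether a file currently carries the append-only flag
# (lsattr prints the flag letters in its first column).
is_append_only() {
    lsattr -d "$1" 2>/dev/null | awk '{print $1}' | grep -q 'a'
}

# Write a logrotate stanza that drops +a before rotating and restores it
# on the freshly created log afterwards.  Without sharedscripts, logrotate
# runs the scripts once per log with the log's path in $1.
# $1 = destination stanza file, remaining args = log files.
write_logrotate_stanza() {
    dest="$1"; shift
    {
        printf '%s ' "$@"; printf '{\n'
        cat <<'EOF'
    weekly
    rotate 4
    missingok
    create 0600 root root
    prerotate
        chattr -a "$1"
    endscript
    postrotate
        chattr +a "$1"
    endscript
}
EOF
    } > "$dest"
}

# Typical installation (run as root):
#   write_logrotate_stanza /etc/logrotate.d/append-only-logs $LOGS
#   protect_logs
```

Because `compress` would leave the rotated copies without the flag, the stanza above does not compress; if you need that, add `delaycompress` and extend postrotate to re-flag the `.1` file as well.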

We had been running RedHat 4.2 but we have removed the server since I was in the middle of building the new server at the time anyway. The new one will be running RedHat 5.2 when the hard drives arrive.

I fortunately have a backup of my code (minus about 60 hours of work), but no one else backed theirs up at all :(

Todd

Every 45 seconds, another arrest for Linux. 695000 last year. It's time for a change.

You have to have backups, even if it's just copying the files to another drive or to another computer on the network. You have to use hosts.allow/hosts.deny, and you have to turn everything off you're not using - Red Hat is especially liberal with inetd by default. Bare minimum, or you will get cracked sooner or later if you're on a leased line.

It's unfortunate that we need to have so many things running, but we do. And the server has to be accessible to everyone. Since the machine is colocated at an ISP we're going to see if we can pay them to back it up to a tape drive on one of their servers. Unfortunately I think this will probably double what we are paying. Yes, it's our fault that we didn't invest the money for backups but the script kiddie still deserves to pay if we can catch him!

Todd

Every 45 seconds, another arrest for Linux. 695000 last year. It's time for a change.

I need a howto on busting script kiddies. A script kiddie breaks into our server with the wu-ftp exploit, and sets up an irc bot. We immediately patch the holes and delete his bot (after making a copy of all the bot's config files). It's too late though because the malicious little bastard has already set up a back door and he logs in as root and does "rm -rf /"

Well, I know the channel where he keeps his bots on IRC, but that's all I know about him. How do we locate him though? How do we collect on hundreds of hours worth of labor that he destroyed? We aren't a big company, just a group of people paying out of our own pockets and credit cards to try to start our own business--we didn't even have enough money to afford a tape backup for the server. I'd love to nail the little bitch.

Todd

Every 45 seconds, another arrest for Linux. 695000 last year. It's time for a change.

Not sure if it's the same person in regards to the localhost login attempt -- look at the timestamps -- it was four hours later than the activity from 209.190.67.111. Not sure what that means.

Anyway I would at least suggest setting your /etc/hosts.deny and /etc/hosts.allow to block access to the ftp and telnet ports from all IP addresses (in hosts.deny), then list trusted IP addresses in hosts.allow.

Really, as the other respondents to your post mentioned, backups are essential. Try checking out the misc.forsale.computers.x news groups via dejanews. You can always pick up an older adaptec scsi card and even an older 1/4 inch tape drive to hang off it. This is easy to set up for your Linux box(en). At least that's something.
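The hosts.deny/hosts.allow advice above is easy to get subtly wrong, and a later poster notes the usual failure mode: the rules lock you out from a site you did not list. The following is an added example, not from the thread: a small simulator of tcp_wrappers' evaluation order (hosts.allow first, then hosts.deny, otherwise allow), so a rule set can be checked before it is relied on. It only implements `ALL`, exact IPs and `192.0.2.`-style prefixes; real tcpd also matches hostnames, `net/mask`, `EXCEPT` and `KNOWN`/`UNKNOWN`, so use the real `tcpdmatch` from the tcp_wrappers package when it is installed. The sample files and addresses are constructed.

```shell
#!/bin/sh
# Added example: simulate how tcpd decides on a (daemon, client) pair from
# hosts.allow and hosts.deny.  Order matters: first match in hosts.allow
# grants access, otherwise first match in hosts.deny refuses it, otherwise
# access is granted.  Only ALL, exact IPs and trailing-dot prefixes are
# supported here (an assumption of this toy, not a tcpd limitation).

# Does one pattern match a value?  $1 = pattern, $2 = daemon name or IP.
match_token() {
    case "$1" in
        ALL) return 0 ;;
        *.)  case "$2" in "$1"*) return 0 ;; *) return 1 ;; esac ;;  # "192.0.2." prefix
        *)   [ "$1" = "$2" ] ;;
    esac
}

# Does any token of a comma/space separated list match?  $1 = list, $2 = value.
match_list() {
    for tok in $(printf '%s' "$1" | tr ',' ' '); do
        match_token "$tok" "$2" && return 0
    done
    return 1
}

# Does any rule in a wrapper file match?  $1 = file, $2 = daemon, $3 = client.
# Rule syntax: daemon_list : client_list [: options]; '#' starts a comment.
file_matches() {
    [ -r "$1" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"
        case "$line" in *:*) ;; *) continue ;; esac
        daemons="${line%%:*}"
        rest="${line#*:}"
        clients="${rest%%:*}"      # drop any options field
        if match_list "$daemons" "$2" && match_list "$clients" "$3"; then
            return 0
        fi
    done < "$1"
    return 1
}

# Print "allow" or "deny" for daemon $1 from client $2, using
# hosts.allow at $3 and hosts.deny at $4.
tcpd_decide() {
    if file_matches "$3" "$1" "$2"; then echo allow
    elif file_matches "$4" "$1" "$2"; then echo deny
    else echo allow
    fi
}

# Write the constructed rule set recommended in the thread into directory $1:
# deny everything, then open ftp/telnet to one trusted network only.
write_sample_rules() {
    printf 'ALL: ALL\n' > "$1/hosts.deny"
    printf '# trusted office network (constructed example)\n' > "$1/hosts.allow"
    printf 'in.ftpd, in.telnetd: 192.0.2.\n' >> "$1/hosts.allow"
}
```

Running `tcpd_decide in.ftpd 198.51.100.9 hosts.allow hosts.deny` against the sample rules returns `deny`, which is exactly what happens to you from an unlisted remote site; decide up front whether that is acceptable, or keep one separately protected way in (for instance ssh from anywhere with strong authentication).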

I wonder how many /. readers are (or were at one time) script kiddies. Maybe we could have a poll, Rob? I have x r00t sh311z: [] 0 [] 1 (on my own box) [] 2-5 [] 6-10 [] 11-20 [] I own you, bitch. Seriously, though, I liked the article; if we could find some way to channel all that energy into learning to code and writing free software, wow! So hax0rs and wanna-be script kiddies take note: it is way more el33t to write free code. Oh, yeah, and chicks dig real programmers ;-)

I disagree. IMO, BY DEFINITION, script kiddies are "intelectually" [sic] challenged. Most cannot construct a simple, complete and properly spelled sentence. Most are high school or college age (but aren't necessarily in high school or college). Most are typically antisocial and surprisingly, most are *proud* of being a "script kiddie" and universally despised as a cockroach of the Internet community.

Hah, you know, I just realized, you fit the bill perfectly. What's the difference between a 16yo script kiddie and a 16yo "former" script kiddie anyways?

That second paragraph was meant more as a joke than a real insult. I'm sorry it was taken so seriously. I honestly intended to write some more and add a few smileys, but IE is pretty particular about which keystrokes are allowed in a form and which keystrokes are designed to submit it.

I hate it when people say this kind of thing. It IS stupid to not have backups available on a production machine, but that does NOT mean he "deserved" the attack. Disks did not fail, a power surge did not destroy the equipment. It was a deliberate, FELONIOUS attack and the person responsible needs to be held accountable for the damages.

Just because backups weren't available does NOT mean attacks are OK.

It's like saying a sysadmin DESERVED to be attacked because he didn't patch some obscure security hole. Nobody is perfect. These things slip through and it in NO WAY means that attacks are justified.

You have no idea how loudly I applaud when I hear news of some script kiddie being charged and prosecuted for the crap he pulls. All it takes is some work (sometimes very trivial work) tracking him down, recording everything that's happened, and he can be nailed.

Most script kiddies don't realize it, but these damages can easily reach the tens if not hundreds of thousands of dollars. I simply cannot WAIT when more of these idiots start getting caught and their parents start losing things like their house or their car to pay for the damages.

I'm guessing that the ISP doesn't really care, since it really isn't liable for any of the SK's actions. Plus, it's pretty much your word against theirs...The ISP might be unwilling to help because there isn't ample evidence that the user is doing illegal activity.

If you have enough money to get started at all, you can't possibly afford to NOT have a tape backup, as this incident illustrated for you. A cheap tape backup is not all that expensive, and if you can't even cough up a couple hundred for a tape backup, you can't possibly have enough money to get off the ground anyway. Even without script kiddies, accidents do happen. Had a guy at a company I used to work at do an rm -rf * before he realized that he had typo'd his cd to the directory where he wanted to clean up, and he was logged in as root, and thus being on an AIX box, had started in / (A better rationale for /root being root's home directory I have never seen...). He caught it before it finished and ^C'd it, but not before it was done wiping out most of the system.

NT is much more easily crashable out of the box. There are a lot of fun buffer overflows in the TCP stack that can drop a server in no time.

Breaking into an NT box usually just requires a few minutes with a decent crack kit. Most admins don't turn on encrypted passwords, don't require strong (i.e. non dictionary) passwords, leave 'administrator' called 'administrator', and allow anonymous browsing. With all that, you can easily extract a user list in a couple of seconds. Once you have that you can sniff for password hashes and run a dictionary attack against them.

Out of the box, Linux's security depends on which box you opened. RedHat 5.2 is the best that Redhat has done so far, although they still leave too much stuff turned on in inetd.conf. (Come on, finger?!?!) I don't have much experience with any other distros.

At least with Linux you can shut off the crap you don't use. Just try to shut down excess cruft on an NT server - a lot of it is not even optional anymore.

Ask your manager if he trusts Solaris out of the box. Then show him all the patch CDs that come with that you have to install, plus the current list of patches to go download. Commercial != secure.

As someone else said, though, any fool who trusts the out of box experience to protect their corporate assets deserves what they get.

Collect this information to files on some other disk. Check the offset of your hardware clock, so when you see some time in your logs you know, give or take a few seconds, what the exact time was. Do traceroute and whois ip_number@whois.arin.net and @whois.ripe.net. Write to the admins of those networks.

That may have been in the past, but not anymore. Most of today's script kiddies are just troublemakers: the fact that they are making trouble with computers is merely coincidental. They would be breaking windows if it wasn't for the fact that being a "haX0r" is now considered cool. Lazy, bored teenagers, that is what they are...

An unfortunate fact is that most of them don't even consider their behavior harmful. Smurfing your network is a victimless crime in their little narrow mind; they can't conceive it's somebody's job to keep that network running. They lack education of the real life type.

If you really want to help them, kick their butt. Maybe we could teach them some respect that way.

...you were something like this? So much of what I've seen in the *nix community is like a pissing contest...you might not be bragging about rootshells or how 3133t3 you are, but that only means that the beam has been raised higher. I like the way the article points out that you tend to learn in this silly hobby, which is something you can't exactly say about being good at Quake. Yes, it's a waste of time, and bears the same relationship to real hacking that paint-by-number kits do to actual oil painting...but more people tend to go on to real hacking than advance in painting...it's just more fun that way!

Seemed almost an echo of #linux a year ago. I gave up on IRC because of script kiddies, and questions about how do I compile eggdrop/boink/smurf. How many times do you have to have someone try something stupid to give up? This HOWTO is a sad testament to the sheer volume of want-to-be crackers out there.

Well, he port scanned you. Look to see what services you are running; are you using imap, pop3 or ftp? Turn them off if you're not.

The localhost thing is a bit odd; not trying to be an alarmist, but that looks very fishy. Check all your logs first; if there is any question, unplug the network connection to the system and go over it with a fine tooth comb.

The only truly secure system is one that is not connected to the network and off. :)

Remember backing up and staying current are your first and best friends.

Now I won't say this isn't your fault, but it is a little like leaving your bicycle outside on the front lawn in a bad neighborhood overnight - it's going to get stolen.

You have to have backups, even if it's just copying the files to another drive or to another computer on the network. You have to use hosts.allow/hosts.deny, and you have to turn everything off you're not using - Red Hat is especially liberal with inetd by default. Bare minimum, or you will get cracked sooner or later if you're on a leased line.

That said, I know a little how you feel. Someone used the mountd exploit on me a while back (RH 5.1), but was unable to install his 3l33t root shell. He left his .bash_history in my root directory too. The shamefulness of being hacked was made a little more bearable by seeing how clueless he was with bash. At worst the experience turned me on to all the stupid shit they try to do.

No kidding. Windows networking still has (IMHO) to be properly worked out in terms of security. From what I've seen with its installed setup, also, there is much less information available to system admins by way of logging, etc. It's particularly bad to have Windows networking enabled AT ALL if you've had a hack, because the more intelligent script kiddies can take your password files and use them to break in again through the server message block protocol thingie. This is made really easy with samba, because they can get the source to it, and just cut it back so that instead of hashing a password and sending it, it just sends the hashes straight out of the password file that they've copied from your computer. (Bad thing)

I haven't played around with it a lot, but my understanding is that logging with windows networking is minimal.

I hate that everyone's recommendation for securing Linux is to turn off everything. Yeah, that gives me a server that does absolutely nothing useful. How useful is an OS where you can't have mail services running?

Don't get me wrong, we use Linux at work on a couple of servers and on our laptops, but I don't buy into turning off every service to secure a system. How come my Solaris, Netware, and FreeBSD boxes have never been hacked even though they run all the services? Barely a day goes by now that someone doesn't try getting into one or both of our Linux servers using the Rootkit tools. Hosts.deny keeps them out, but also will keep us out if we are ever at a remote site that we didn't account for in the tcp_wrapper config files.

We have found that installing the newest versions of all the services does make for a fairly secure system. However, we're still afraid to run NFS on them.

I just bought an SGI Indigo2 with 128mb RAM, a 20" monitor and a 2 GB hard disk for $1,150. Nice little system. I think you can be a hacker in that, if you want to be a bit more creative. Seems to me that gives you a bit more bang for the buck than a SPARC, at least nowadays.

The reseller told me that even high school students are buying them now -- but mainly to look impressive. I think he enjoyed selling to someone who knew what he was buying for a change:-).

Amusingly enough, I bought it instead of a PC running Linux in part because a first class PC would have been a lot more expensive! How the mighty have fallen:-(.

If you've been broken into, first thing you should do is take it off the network ASAP. Then, if you like, you can try and track down where he came from by looking through the logs. Note though that most script kiddy root kits do a pretty decent job of covering their tracks once they get in. And really, finding the little twerp should be secondary to getting your own machine online again.

This is where you demonstrated the greatest failure - your system has been compromised, so as far as you should be concerned, every binary is untrustworthy now. ls could have been modified to not show their files, ps modified to not show their processes, and there's probably a number of setuid root bash binaries lying around. The only truly safe thing to do is reinstall the OS from scratch - trying to track down all of their modifications is a waste of time, and you'll probably miss a few anyways, with potentially disastrous results.

In the future, it's always worthwhile to invest in tape backups (if you can afford the server, surely you can spare about $200 more? this doesn't have to be some super-automated DDS3 drive...), and to keep up to date with security patches.
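The two posts above (collect evidence to another disk, note the clock offset, traceroute and whois the sources; and treat every binary on the box as untrustworthy) amount to a first-pass triage procedure. The following is an added example, not from the thread, that carries it out: it summarises connection sources from syslog-style lines, lists setuid files as candidates for a planted root shell, snapshots the clocks, and runs the thread's traceroute/whois commands per foreign source. The log lines are constructed; the evidence directory and the use of `whois -h` are assumptions. Run it from a known-good shell (a rescue boot is best), because the compromised host's own `ls`, `ps` and `find` may have been replaced.

```shell
#!/bin/sh
# Added example: first-pass triage of a host suspected of compromise.
# Sample log lines are constructed (RFC 5737 documentation addresses);
# the whois servers are those named in the thread.

SAMPLE_LOG='Jan 12 03:14:07 www in.ftpd[811]: connect from 198.51.100.23
Jan 12 03:14:09 www ftpd[811]: FTP LOGIN REFUSED (anonymous) FROM 198.51.100.23
Jan 12 03:16:42 www in.telnetd[820]: connect from 198.51.100.23
Jan 12 07:02:11 www login[903]: ROOT LOGIN ON tty1 FROM localhost
Jan 12 07:05:30 www in.ftpd[950]: connect from 203.0.113.5'

# Summarise who connected, how often, and first/last timestamps, reading
# syslog-style lines on stdin.  Output lines: "<source> <count> <first> <last>".
log_sources() {
    awk '
        {
            src = ""
            for (i = 1; i < NF; i++)
                if (tolower($i) == "from") src = $(i + 1)
            if (src == "") next
            ts = $1 " " $2 " " $3
            if (!(src in n)) first[src] = ts
            n[src]++
            last[src] = ts
        }
        END { for (s in n) print s, n[s], first[s], last[s] }
    ' | sort
}

# List setuid files under a tree (candidates for a planted root shell).
# $1 = root of the tree; -xdev keeps find on one filesystem.
find_setuid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# Snapshot system and hardware clocks so log times can be related to
# real time when writing to the remote networks' admins.  $1 = evidence dir.
record_clocks() {
    date -u > "$1/date-utc.txt"
    hwclock --show > "$1/hwclock.txt" 2>&1 || true
}

# The per-source lookups the thread recommends.  $1 = source IP.
evidence_commands() {
    printf '%s\n' "traceroute $1" \
        "whois -h whois.arin.net $1" \
        "whois -h whois.ripe.net $1"
}

# Collect everything into an evidence directory on a separate disk.
# $1 = log file to read, $2 = evidence directory, $3 = filesystem root to scan.
triage() {
    mkdir -p "$2"
    record_clocks "$2"
    log_sources < "$1" > "$2/sources.txt"
    find_setuid "$3" > "$2/setuid.txt"
    while read -r src _; do
        case "$src" in localhost|127.*) continue ;; esac
        evidence_commands "$src" | while read -r cmd; do
            $cmd > "$2/$(printf '%s' "$cmd" | tr ' ' '_').txt" 2>&1 || true
        done
    done < "$2/sources.txt"
}

# Usage from a rescue environment with the victim disk mounted on /mnt:
#   triage /mnt/var/log/secure /evidence /mnt
```

Compare `setuid.txt` against a fresh install of the same distribution (on RPM-based systems `rpm -Va` run against the mounted tree is the usual check); anything extra is a reason to rebuild rather than clean, as the post above says.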

Very good summary. These types of NT exploits (as opposed to IIS buffer stuff) don't get much press because they are actually really really old. NT 3.1 and Lan Manager servers were compromised by the same strategy as L0pht, and really not much has changed. I would imagine that this stuff is such old news that it's not even as 31331 as hacking a RedHat 5.1 box.

A year ago, I would have guessed that 75% of NT Internet servers were running with the Lanman service and Ports 137-9 wide open. Recently, things have tightened up a bit, but I'm sure there's quite a few NT admins repeating "C2 Security" over and over again.

The script kiddy was clearly in the wrong and, in this case, deserves to get his teeth knocked in. But I only have so much sympathy for someone who takes their security and backup so lightly. Especially when that person advocates the use of Linux over NT -- blindly. If it wasn't the script kiddie's rm -rf /, it'd be a mistake at your own hands at some point or another. Cheap backup systems can be had for next to nothing. At the very least, you log to a remote system to discourage the kiddy from rm -rf / -ing as a method of covering his tracks.

NT4.0 is fairly secure SOTB(Straight Out of the Box). For two reasons: a) Not much runs on it by default b) It is highly inflexible

This is not to say that MS has any real security genius. Its just RedHat doesn't seem to feel that SOTB security is that important. Furthermore, if you look at the number of exploitable bugs relative to the number of services and programs offered RedHat really isn't any worse off. NT enjoys two things -- in the short run:

a) Low visibility b) Security through obscurity.

If and when NT ever supplants Unix, I guarantee you that it will be far more vulnerable to script kiddies. As it stands now the current system admin is totally ignorant as to the security layout of his NT system(s). There is very little review of NT's security -- it is closed source. However, this security through obscurity thing will burn off shortly. NT hacking simply doesn't have enough inertia yet. If NT ever gains the same install base on high profile systems many security people and hackers will start coding overflows and what not for NT, it will have a snowball effect. There will be far more eyes on NT's security holes, albeit with debuggers and hex editors, than there will be eyes on security looking at the source. These exploits will be passed around underground-- it'll most certainly be distributed faster than MS will respond.

As it stands now, if I were going to set up a network today, knowing what I know, and ignoring performance issues, I'd definitely run Linux or BSD. Because I can simply know with a reasonable level of confidence that I am secure. This can never be said for NT.

RH 5.2 will be better, assuming that NT4 is still at SP1. NT with the current service packs applied isn't too bad. The main thing with RH is to turn off everything you aren't using. There's a pretty decent introductory article at Linux Gazette: http://www.linuxgazette.com/issue34/vertes.html

No matter what platform you choose, you absolutely must keep tabs on security news. You can not expect to remain secure while neglecting your servers... the crackers certainly are doing their homework... you should, too. If a root/admin exploit is discovered for your OS you must find out in a timely manner if you intend to do anything about it. The Bugtraq (for Unix) and NTBugtraq mailing lists should be required reading if you are maintaining internet servers.

The question is "Right Out of the Box"... The NT4 I've been installing (and reinstalling) dozens of times comes "out of the box" at SP1. The comparison stands.

It's an entirely different question to ask what a *sane* admin would do. Of course, then, you will install the SP's up to (and past) SP4... Given equal amounts of effort, you could come up with a pretty seriously locked down RH5.2 box.

Rules #1 and #2 are a little impractical. Most of these crackers are pretty clueless, they could come from anywhere and they have no special interest in your system.

Yes, they're a pain. Problem is that, in amongst the script kiddies, there's likely to lurk one or two who actually know what they're doing. Scrubbing and reinstalling from clean copies is fast, but it doesn't leave you with any idea how the intruders got in. If they were SKs you're fine, but if they weren't they now know that you've seen them while you don't know that you have a threat still present.

And even with the SKs, tracking down how they got in lets you close up the holes so that more don't get in. If you don't close the holes, you're just going to keep getting hit. If you do close them, though, the number of intrusions drops off, leaving you more time for more useful work. That's where the payoff is: tracking down one cracker closes the holes that a couple of thousand of his cohorts could have used and you won't have to deal with them.

Rule #1: never reveal to an intruder that you know that he's there until after you've tracked down everything he's modified and are in a position to remove his additions. When you spotted his bot, you should have left it alone and started checking the rest of the system for modifications, removing the bot and closing him down only after you were sure you'd closed all the other holes he'd opened.

Rule #2: once you have removed an intruder, assume he'll be back and continue to monitor for him. If possible, stop all legit non-local ( network or modem ) access so that any such access must be the intruder. When he shows up, watch his every step without revealing yourself to him and see what he goes for.

Rule #3: always have backups. Always. If an intruder gets in it's almost certain that he'll destroy something, even if only by accident. You should always be in a position to let him destroy things, if for no other reason than to watch for what exploits or backdoors he uses in the process. I follow the old MS-DOS system rules: keep backups of data for a long enough time that you can get a clean one by going far enough back, and restore programs and such from clean distribution media or sources rather than depending solely on backups which could be corrupted by an intruder who's been in long enough.

I'm sorry, but I work as an SGI admin, and I just have to disagree. Try comparing that Indigo 2 to the computer you can get for $1150. I have an AMD K6-2 300 w/ 128 meg ram and 8.4 gig HD, cost me $700 back in october, though that's without monitor, but it's brand new. In CPU power it can kick an Indigo 2's ass easy. Comparing an Indigo 2 to a first class PC is just unreasonable. New SGIs are way overpriced, maybe the used ones are ok though, I guess $1150 isn't too bad. The new O2s start at like $5000 or so, it's ludicrous for the machine you get.

BTW, um, I hope you have that machine behind a firewall, because SGI security sucks. Though Irix 6.5 improved that, but you're more likely to have 6.2 on an Indigo 2. Make sure to close the 4 default accounts that have no password(lpr and etc.), make sure to disable the xhost + on login(lets anyone anywhere connect to your X server... when I first found that I was in such disbelief... found a program though that would let me monitor ppls keystrokes remotely... connected fine.:/(was monitoring my own keystrokes actually, but from a remote account)), and of course the standard, disable anything in inetd.conf you don't use.

reinstall? sheesh, the only reason he got in was because you forgot to do the security upgrades.. now you're reinstalling the os without any security upgrades?

Actually it's probably the best course of action since you don't know which files were replaced/added with backdoors, especially if you don't run something like tripwire. I believe the procedure is to reinstall and immediately apply all the security patches then bring the server back online after restoring data and securing.

Windows NT may be more secure out of the box than some Unix-like systems because it provides fewer services by default. On the other hand, a Macintosh-based server will be even more limited (can TELNET do anything useful on a Mac?), and hence even more secure. Mac-based web servers are probably the least hackable ones in the Internet.

Depends... If the NT machine isn't connected to the net, it's pretty secure :) I would bet there's not a huge difference, although I'd feel better with linux. In my opinion, though, anyone who puts an out of box setup live on the net, regardless of what os it is, is asking for trouble.

NT has a ton of security holes too. Lots of denial of service attacks mostly. If you have sharing enabled at all, that's a bad idea.

Even though Linux is fairly insecure right out of the box, it is easy to fix. The easy way: 1. edit inetd.conf to remove any service you don't need. 2. install all of the RedHat updates (if you have redhat), basically, just make sure you are running the latest version of any network stuff. 3. Use ipchains. Ipchains is firewalling software, and it works excellent if you know how to set it up correctly. If you are just setting up linux as a webserver, install the latest apache, install ssh, set ipchains to deny all by default, and add rules to allow traffic into port 80(http), and traffic into port 22(ssh). You can transfer files with scp, or if you really need ftp, open it up to only the host, or network that you need access from.

I have a linux machine with this exact setup (took 20 mins to set it all up), and it's been running with no successful breakins for about 6 months. And it was getting attacked everyday for quite awhile.
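The three-step hardening above (prune inetd.conf, install the vendor updates, ipchains deny-by-default with only 80 and 22 open, ftp only from where you need it) as an added example, not the poster's own script. It assumes the Linux 2.2-era ipchains syntax the post refers to (`-y` matches TCP SYN, `-l` logs a packet via the kernel log, ports follow the address in `-s`/`-d`); the same policy on a later kernel is written with iptables or nftables instead. The sample inetd.conf in the test is constructed; `FTP_FROM` is an optional variable of this example. Installing the updates is a step the script cannot do for you.

```shell
#!/bin/sh
# Added example: the hardening steps from the post, as functions.
# ipchains syntax is the Linux 2.2 form; FTP_FROM is this example's own
# optional variable (network allowed to reach ftp, e.g. 192.0.2.0/24).

# Comment out the named services in an inetd.conf, so inetd stops
# offering them.  $1 = path to inetd.conf, remaining args = service names
# (first field of each line: finger, talk, ntalk, shell, login, exec ...).
disable_inetd_services() {
    f="$1"; shift
    for svc in "$@"; do
        sed "s/^$svc[[:space:]]/#&/" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    done
}

# Emit the ipchains rule set, one argument list per line, in order:
# flush, deny by default, loopback, replies to our own connections,
# DNS answers, then only the services we mean to offer; log the rest.
ipchains_rules() {
    printf '%s\n' \
        '-F input' \
        '-P input DENY' \
        '-A input -i lo -j ACCEPT' \
        '-A input -p tcp ! -y -j ACCEPT' \
        '-A input -p udp -s 0/0 53 -j ACCEPT' \
        '-A input -p tcp -d 0/0 80 -j ACCEPT' \
        '-A input -p tcp -d 0/0 22 -j ACCEPT'
    if [ -n "${FTP_FROM:-}" ]; then
        printf '%s\n' "-A input -p tcp -s $FTP_FROM -d 0/0 21 -j ACCEPT"
    fi
    printf '%s\n' '-A input -l -j DENY'
}

# Apply the rule set (root only).  Each line becomes one ipchains call.
apply_rules() {
    ipchains_rules | while read -r rule; do
        ipchains $rule || return 1
    done
}

# Typical run as root, after installing the vendor updates and ssh:
#   disable_inetd_services /etc/inetd.conf finger talk ntalk shell login exec
#   kill -HUP "$(pidof inetd)"
#   FTP_FROM=192.0.2.0/24 apply_rules
```

The final `-l -j DENY` rule is what turns the firewall into a detection tool: every refused connection, including the port scans several posters mention, shows up in the kernel log with the source address, which is the same data the evidence-gathering posts ask you to keep.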

Turning off a service guarantees you that this service cannot be exploited. That does not mean it is exploitable, but you reduce the chance of a breakin through that single service.

There are a number of services which have a bad security reputation. Especially finger is a service almost nobody really needs, so it is safer to simply turn it off. The same rule applies to many other things such as talk, all r* services, netstat and probably more.

Don't forget that this is not a kernel issue, but a user-level issue. Exploits generally exploit errors in daemons (such as sendmail, ftpd etc). So, if your ftpd is exploitable, it does not matter whether it runs under FreeBSD or Linux.

Many system administrators make a good living by catching these idiots and making sure they get the full force of the law breaking down their doors. I was talking to a system admin recently and she was amazed how lame the people trying to penetrate the systems she watches were. Doing things like typing  instead of substituting the actual command. She thinks they are reading straight from a piece of paper. I am surprised they can read.

Amazingly enough, that HOWTO contained one piece of information useful to me. It pointed me to www.cheapbytes.com. I needed an upgrade to my Linux machine, and don't want to suck a whole distribution down a 28.8. I've got the doc, so I don't need the box. They ship CDs, cheap. What can I say? K-Q00L! (I guess I should return to my role as mild-mannered online security geek now...)

I'd begin by patching wu-ftpd or replacing it with glftpd. I am pro glftpd. Also, what distribution are you running. I run glftpd and wu-ftp(with all the patches) and someone got through the wu-ftp through the back door but I had a nice perl script set up to tcp blast anyone that did what he did. Mofo never had time to mess with my machine.

I'm a first year university student and we use Pentium II 450's that run Win98.

Most of the students in this course say they're crap (probably due to the widespread thought that it's "kewl" to bag out Microsoft)

Personally, I don't appreciate it when the computer crashes when all I do is log in and load up Eudora.

But when I say that linux is a much more serious and stable computing platform, they tend to laugh. Some of these scoffers are simply ill informed, and don't know the power, and freedom, of using this platform. Others are the fools that this pun is aimed at satirising. They find fun in using D.O.S programs in IRC, just to piss people off. Another fondness is the displaying of large ASCII pictures. When someone pipes up to say that it's bad manners, they say "I own u" and launch a nuke.

This isn't the sort of behaviour an IT student should be exhibiting, as not only does it damage the reputation of the Uni, but when they wake up to themselves, and decide to seriously learn, they'll have a lot of enemies in the academic community.